Enabling certificate revocation list support in Java in AMS

To enable CRL support in Advanced Message Security, you must modify the keystore configuration file to allow AMS to download CRLs from the Lightweight Directory Access Protocol (LDAP) server and configure the java.security file.

Procedure

  1. Add the following options to the configuration file:
    Header Description
    crl.ldap.host=host_name LDAP host name.
    crl.ldap.port=port_number LDAP server port number.

    You can specify up to 11 servers. Multiple LDAP hosts are used to ensure transparent failover in case of LDAP connection failure. It is expected that all LDAP servers are replicas and contain the same data. When the AMS Java interceptor successfully connects to an LDAP server, it does not attempt to download CRLs from the remaining servers provided.

    Java does not use crl.ldap.user and crl.ldaworldp.pass values. It does not use a user and password when connecting to an LDAP server. As a consequence, CRL attributes in LDAP must be world-readable.

    crl.cdp=on/off Use this option to check or use CRLDistributionPoints extensions in certificates.
  2. Modify the JRE/lib/security/java.security file with the following properties:
    Property Name Description
    com.ibm.security.enableCRLDP This property takes the following values: true, false.

    If it is set to true, when doing certificate revocation check, CRLs are located using the URL from CRL distribution points extension of the certificate.

    If it is set to false or not set, checking CRL by using the CRL distribution points extension is disabled.

    ibm.security.certpath.ldap.cache.lifetime This property can be used to set the lifetime of entries in the memory cache of LDAP CertStore to a value in seconds. A value of 0 disables the cache; -1 means unlimited lifetime. If not set, the default lifetime is 30 seconds.
    com.ibm.security.enableAIAEXT This property takes the following values: true, false.

    If it is set to true, any Authority Information Access extensions that are found within the certificates of the certificate path being built are examined to determine whether they contain LDAP URIs. For each LDAP URI found, an LDAPCertStore object is created and added to the collection of CertStores that is used to locate other certificates that are required to build the certificate path.

    If it is set to false or not set, additional LDAPCertStore objects are not created.